What All Singapore Organisations Need to Know About GDPR Today

Did you know that the new European Union (EU) General Data Protection Regulation, better known as the GDPR, takes effect on 25 May 2018? The GDPR is new legislation adopted by the European Parliament and European Council to bring greater strength and consistency to the rights of EU citizens regarding their personal data.

According to a recent Veritas study[1] on GDPR (reported in December 2017), more than half of organisations in Singapore (56 per cent) are concerned that they will not be able to meet the new EU requirements, and only 18 per cent feel they are already GDPR compliant. However, it is encouraging to note that the majority (95 per cent) of the organisations questioned plan to drive behavioural changes through training, rewards and contracts to help ensure that they comply with GDPR policies.

How GDPR will affect the way organisations secure data in Singapore

Even though the GDPR is an EU regulation, it also applies to organisations anywhere in the world that handle the data of European citizens, and this includes organisations in Singapore. As a destination that attracts many EU visitors and with the EU as a major trading partner, a significant number of organisations in Singapore are required to make changes in order to comply with the new legislation. Fortunately, the changes that organisations are required to make could also indirectly benefit the residents here.

Consumers have better control over personal data

In Singapore, consumers’ personal data is protected by the Personal Data Protection Act (PDPA). One of the main differences between the GDPR and the PDPA is the amount of control consumers are able to exercise over organisations that collect their data. Under the GDPR, consumers will have the right “to be forgotten” and can request the deletion or removal of their personal data from company records at any time. In order to abide by the GDPR, organisations will not be allowed to retain personal information beyond the stated purpose for which they obtained the data. The removal of “implied consent” and “opt out” models of marketing will give individuals additional reassurance on the security of their personal information, as companies must ensure data is purged in a timely manner. Consumers can also request a copy of the data organisations hold on them, at no additional charge, which means any processing costs will have to be borne by the organisation.

How to be GDPR compliant

Being GDPR compliant not only protects your organisation from hefty penalties, but it also enhances trust and goodwill with existing and potential consumers. Here are some ways you can be compliant:

Practise data minimisation – Data minimisation is a principle which states that collected and processed data should not be held or further used unless it is for a specific reason. Data minimisation also serves as a best practice for maintaining customer trust and reducing the risk of unauthorised access.

Implement sound policies – Such policies should be established to provide an additional layer of checks and balances. This is to watch for, and prevent, possible human error. These additional checks should also ensure strict adherence to standard operating procedures and serve as an extra line of defence.

Appoint a Data Protection Officer (DPO) – As part of being GDPR and PDPA compliant, organisations in Singapore are required to appoint a DPO. The DPO oversees an organisation’s data protection responsibilities and ensures compliance.

ABS Certified

Shred-it has been certified by the Association of Banks in Singapore (ABS) as an approved outsourced service provider. OSPAR (Outsourced Service Provider’s Audit Report) assesses control and governance, and standardises requirements and auditing processes for firms providing services to the financial industry, confirmed by an annual independent audit.

NAID Member

Shred-it Singapore is a NAID Member, adhering to the stringent security practices and procedures established by the National Association for Information Destruction.